Postfix vs. outbound.protection.outlook.com

Microsoft has decided that checking the sender’s hostname using HELO and rDNS is really 90’s, not really a rule and only for losers and cowards:

https://docs.microsoft.com/de-de/exchange/troubleshoot/antispam-and-protection/cannot-send-emails-to-external-recipients

As an old school admin you have to tune your Postfix to let in the fluffy cloud mails from visionary early adopter Outlook users.

To solve the HELO part of the problem do something like this:

Create

/etc/postfix/specials/check_helo_access

it should contain

outbound.protection.outlook.com sender_white_list

Then create a

/etc/postfix/specials/client_whitelist

file, containing stuff like this

40.92    OK
40.107   OK

In /etc/postfix/specials, do a

# postmap check_helo_access
# postmap client_whitelist

Then edit your

/etc/postfix/main.cf:
smtpd_helo_required = yes
smtpd_restriction_classes = sender_white_list
sender_white_list = check_client_access hash:/etc/postfix/specials/client_whitelist, reject
smtpd_helo_restrictions =
  check_helo_access hash:/etc/postfix/specials/check_helo_access,
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_unknown_helo_hostname

This should handle the HELO problem. Maybe your incoming connections are still dropped because you reject clients with unresolvable IP addresses via

smtpd_client_restrictions = permit_sasl_authenticated,
  permit_mynetworks,
  reject_unknown_client,
  reject_unknown_client_hostname,
  reject_unknown_hostname,
  ...

Then add a check_client_access line before the reject rules:

smtpd_client_restrictions = permit_sasl_authenticated, 
  permit_mynetworks, 
  check_client_access hash:/etc/postfix/specials/client_whitelist, 
  reject_unknown_client, 
  reject_unknown_client_hostname, 
  reject_unknown_hostname, 
  ...
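
How the two tables interact, as an added Python sketch (not from the original post and not Postfix code): a HELO name under outbound.protection.outlook.com is only accepted when the client IP also falls in a whitelisted prefix, so a forged HELO from any other address is rejected. It models only the hash: lookup order described in access(5); the session values are constructed, and the host name lookup that check_client_access also performs is left out because the table on this page holds only network prefixes.

```python
# Added illustration: a simplified model of Postfix access(5) lookups for
# indexed (hash:) tables. It is not Postfix code.

# Table contents copied from the two files on this page.
CHECK_HELO_ACCESS = {"outbound.protection.outlook.com": "sender_white_list"}
CLIENT_WHITELIST = {"40.92": "OK", "40.107": "OK"}


def lookup_domain(table, name):
    """Try the name, then each parent domain (the default
    parent_domain_matches_subdomains behaviour for smtpd access maps)."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        hit = table.get(".".join(labels[i:]))
        if hit:
            return hit
    return None


def lookup_client_ip(table, ip):
    """Try the IPv4 address, then strip least significant octets."""
    octets = ip.split(".")
    for n in range(len(octets), 0, -1):
        hit = table.get(".".join(octets[:n]))
        if hit:
            return hit
    return None


def helo_decision(helo, client_ip):
    """Return 'permit', 'reject', or 'continue' (fall through to
    permit_mynetworks, permit_sasl_authenticated, reject_unknown_helo_hostname)."""
    if lookup_domain(CHECK_HELO_ACCESS, helo) != "sender_white_list":
        return "continue"
    # Restriction class sender_white_list: check_client_access ..., reject
    if lookup_client_ip(CLIENT_WHITELIST, client_ip) == "OK":
        return "permit"
    return "reject"


if __name__ == "__main__":
    # Constructed sessions: host names and addresses are made up for the demo.
    sessions = [
        ("EXAMPLE01-obe.outbound.protection.outlook.com", "40.107.1.2"),
        ("EXAMPLE01-obe.outbound.protection.outlook.com", "203.0.113.7"),
        ("mail.example.org", "198.51.100.9"),
    ]
    for helo, ip in sessions:
        print(f"{helo:48} {ip:15} -> {helo_decision(helo, ip)}")
```

The same prefix lookup is what the check_client_access line in smtpd_client_restrictions performs, which is why a whitelisted client never reaches the reject_unknown_client rules that follow it.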
